Title: MartinBY's Replies | WordPress.org

---

# MartinBY


## Forum Replies Created

Viewing 10 replies - 1 through 10 (of 10 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[No unsafe-inline] XML-RPC possible?](https://wordpress.org/support/topic/xml-rpc-possible/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [2 years ago](https://wordpress.org/support/topic/xml-rpc-possible/#post-17741409)
 * Hi, for all trying to enforce security using CSP: the use of xmlrpc is a serious
   security problem within WP!
 * For me, I protect xmlrpc.php using DynDNS allow rules within .htaccess that are
   updated by the following script via cron jobs: [GitHub – KarlAustin/htaccessDynamicIPs: A little tool for querying DynamicDNS hostnames and inserting the IPs in to a .htaccess file.](https://github.com/KarlAustin/htaccessDynamicIPs)
 * **This script uses 3 files**:
 * _app.cfg.php_ (the configuration for the script)
 * [_dynamic.php_](https://github.com/KarlAustin/htaccessDynamicIPs/blob/master/dynamic.php) (the script itself)
 * _hostnames.dyn_ (a list of hostnames for dynv6 accounts like "dns1.dynv6.net",
   "dns2.dynv6.net" ..., one DNS name per line).
 * **My cron job is set as follows**:

    ```shell
    /usr/local/php83/bin/php -f '<your path to script folder>/dynamic.php' -- '--htaccess' '/<your path to htaccess file>/.htaccess' '--hostnames' '<your path to script folder>/hostnames.dyn' '--ipv6' '--backup'
    ```
 * **The .htaccess rule to protect xmlrpc.php is** (example with replaced IPs; the
   directive is `<Files>`, and the closing `>` was missing in the original post):

    ```apache
    <Files "xmlrpc.php">
    #* DYNAMIC IPS -- START *#
    <RequireAny>
    #- dns1.dynv6.net
    Require ip xxx.xxx.xxx.xxx
    #- dns2.dynv6.net
    Require ip xxx.xxx.xxx.xxx
    #- dns3.dynv6.net
    Require ip xxx.xxx.xxx.xxx
    #- dns1.dynv6.net
    Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
    #- dns2.dynv6.net
    Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
    #- dns3.dynv6.net
    Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
    </RequireAny>
    #* DYNAMIC IPS -- END *#
    </Files>
    ```
 * The script looks for the start and end marks (the lines in `#* ... *#` brackets) and
   creates the list of allowed IP addresses managed by the dynv6 service (`Require ip`).
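The same mechanism as an added example in Python (this is not the htaccessDynamicIPs tool linked in the post and not MartinBY's code): resolve each DynDNS hostname, validate every answer as an IP address, and rewrite only the block between the `#* DYNAMIC IPS -- START *#` and `#* DYNAMIC IPS -- END *#` markers shown above. The hostnames, the `FAKE_DNS` table and the sample `.htaccess` fragment are constructed so that it runs offline; `resolve_all` is the real lookup you would pass from a cron job.

```python
"""Keep the xmlrpc.php IP allow-list in .htaccess in sync with DynDNS hostnames.

Added example, not the htaccessDynamicIPs tool from the post and not the
poster's code: the same idea (resolve hostnames, rewrite the 'Require ip'
lines between the START/END markers) written in Python. The marker strings
are the ones shown in the post; everything else is an assumption of this example.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List

START = "#* DYNAMIC IPS -- START *#"
END = "#* DYNAMIC IPS -- END *#"

Resolver = Callable[[str], List[str]]


def resolve_all(hostname: str) -> List[str]:
    """Every A and AAAA record for hostname, de-duplicated (real DNS lookup)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def render_block(hostnames: Iterable[str], resolver: Resolver = resolve_all) -> str:
    """Build the marked <RequireAny> block from the resolved addresses.

    Each answer is parsed with ipaddress, so a malformed or hostile DNS answer
    cannot smuggle extra Apache directives into the config file.
    """
    lines = [START, "<RequireAny>"]
    count = 0
    for host in hostnames:
        for addr in resolver(host):
            ip = ipaddress.ip_address(addr)  # ValueError on anything that is not an IP
            lines.append(f"#- {host}")
            lines.append(f"Require ip {ip}")
            count += 1
    if count == 0:
        # Fail safe: an empty <RequireAny> would lock every client out. Raise
        # instead, so the cron job leaves the previous file untouched and the
        # DNS failure shows up in its log.
        raise RuntimeError("no addresses resolved; not rewriting the allow-list")
    lines += ["</RequireAny>", END]
    return "\n".join(lines)


def update_htaccess(text: str, hostnames: Iterable[str],
                    resolver: Resolver = resolve_all) -> str:
    """Return text with the single marked block replaced; all other lines untouched."""
    pattern = re.compile(re.escape(START) + r".*?" + re.escape(END), re.DOTALL)
    if len(pattern.findall(text)) != 1:
        raise ValueError("expected exactly one START/END marker pair in .htaccess")
    block = render_block(hostnames, resolver)
    return pattern.sub(lambda _m: block, text)  # lambda: no backslash processing


# --- constructed sample data so the example runs offline ---------------------
SAMPLE_HTACCESS = """<Files "xmlrpc.php">
#* DYNAMIC IPS -- START *#
<RequireAny>
#- dns1.dynv6.net
Require ip 192.0.2.1
</RequireAny>
#* DYNAMIC IPS -- END *#
</Files>
"""

FAKE_DNS: Dict[str, List[str]] = {  # stands in for the dynv6 answers
    "dns1.dynv6.net": ["203.0.113.10", "2001:db8::10"],
    "dns2.dynv6.net": ["203.0.113.20"],
}


def fake_resolve(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    # Real use: read .htaccess, pass resolve_all, write the result back atomically.
    print(update_htaccess(SAMPLE_HTACCESS, ["dns1.dynv6.net", "dns2.dynv6.net"], fake_resolve))
```

Two design points worth keeping whatever language the script is in: the `ipaddress` parse is what stops a DNS answer (or a typo in `hostnames.dyn`) from writing a non-IP line into a file Apache executes, and the refusal to emit an empty `<RequireAny>` is what keeps a DNS outage from turning into a lock-out of the only client that is supposed to reach xmlrpc.php.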
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[No unsafe-inline] XML-RPC possible?](https://wordpress.org/support/topic/xml-rpc-possible/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [2 years ago](https://wordpress.org/support/topic/xml-rpc-possible/#post-17740243)
 * [@mociofiletto](https://wordpress.org/support/users/mociofiletto/), thank you
   very much! Yes, it works (with activated CSP, without collecting mode) very well.
   Best regards, Martin
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[No unsafe-inline] Dashboard lost Stylesheet](https://wordpress.org/support/topic/dashboard-lost-stylesheet/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [2 years ago](https://wordpress.org/support/topic/dashboard-lost-stylesheet/#post-17735120)
 * I got it solved only by deactivating both options for SRI…
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[No unsafe-inline] XML-RPC possible?](https://wordpress.org/support/topic/xml-rpc-possible/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [2 years ago](https://wordpress.org/support/topic/xml-rpc-possible/#post-17735111)
 * I use the following app from the Play Store, "[https://play.google.com/store/apps/details?id=com.jetpack.android](https://play.google.com/store/apps/details?id=com.jetpack.android)";
   it uses xmlrpc.php to manage content.
 * My web page, in preparation: [https://goerres-web.de](https://goerres-web.de)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[No unsafe-inline] Dashboard lost Stylesheet](https://wordpress.org/support/topic/dashboard-lost-stylesheet/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [2 years ago](https://wordpress.org/support/topic/dashboard-lost-stylesheet/#post-17732481)
 * Hi Giuseppe, thank you for your quick response!
 * Meanwhile the Dashboard is displayed correctly and I am collecting more details for
   whitelisting.
 * Currently only wp-login does not show the styles and images as expected (even
   after I deactivated the plugins for hiding it). Any hint for this?
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[No unsafe-inline] Dashboard lost Stylesheet](https://wordpress.org/support/topic/dashboard-lost-stylesheet/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [2 years ago](https://wordpress.org/support/topic/dashboard-lost-stylesheet/#post-17730467)
 * OK, now I understand:
 * within ‘Settings / Misc options’ I deactivated ‘Enforce policy in admin’; after
   this, all parts of the Dashboard are visible.
 *   Forum: [Themes and Templates](https://wordpress.org/support/forum/themes-and-templates/)
    In reply to: [[NSFW] [Graphene] Customizer does not publish –> ERROR](https://wordpress.org/support/topic/customizer-does-not-publish-error/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/customizer-does-not-publish-error/#post-13186788)
 * Hi, after reading some web articles, I found the reason: after deactivating the
   Autoptimize plugin and reinstalling the theme:
   - The theme update/publishing works fine
   - The response of the website is much faster
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Complianz - GDPR/CCPA Cookie Consent] Content-Security-Policy (CSP) & X-Frame-Options blocks POPUP](https://wordpress.org/support/topic/content-security-policy-csp-x-frame-options-blocks-popup/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/content-security-policy-csp-x-frame-options-blocks-popup/#post-13182725)
 * [@rogierlankhorst](https://wordpress.org/support/users/rogierlankhorst/), yes,
   I agree, and different browsers react differently to CSPs. So Safari on iPad lets
   me enter the Matomo login but Edge on Win10 does not.
 * Same in WP admin mode using the theme customizer: using a CSP including
   `frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'`, the iPad shows previews of
   changes, Edge blocks the preview. So I have to remove frame-ancestors from the CSP.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Complianz - GDPR/CCPA Cookie Consent] Content-Security-Policy (CSP) & X-Frame-Options blocks POPUP](https://wordpress.org/support/topic/content-security-policy-csp-x-frame-options-blocks-popup/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/content-security-policy-csp-x-frame-options-blocks-popup/#post-13177150)
 * Hi Aert,
 * thank you very much for your quick and profound response.
 * Changing the policy lets everything work fine but reduces the security level.
 * Here is my current policy:

    ```
    default-src 'none' 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://goerres-web.de/piwik https://s.w.org https://wordpress.org; style-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self' 'unsafe-inline' 'unsafe-eval';
    ```
 * Best Regards,
   Martin
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Complianz - GDPR/CCPA Cookie Consent] Content-Security-Policy (CSP) & X-Frame-Options blocks POPUP](https://wordpress.org/support/topic/content-security-policy-csp-x-frame-options-blocks-popup/)
 *  Thread Starter [MartinBY](https://wordpress.org/support/users/canoaby/)
 * (@canoaby)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/content-security-policy-csp-x-frame-options-blocks-popup/#post-13172551)
 * Hi Aert,
 * no, I added the following within .htaccess (mostly as in the example given by Matomo):

    ```
    Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
    Content-Security-Policy: default-src 'self' https://cookiedatabase.org; script-src 'self' https://goerres-web.de/piwik https://cookiedatabase.org; img-src 'self' https://cookiedatabase.org https://goerres-web.de/piwik https://s.w.org https://wordpress.org; style-src 'self'; frame-ancestors 'self'; frame-src 'self';
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Referrer-Policy: no-referrer
    ```
 * I tested several variants, but Matomo also gets problems when trying to add the
   opt-out code. When using CSP, Matomo's login as admin fails as well.
 * When running a scan on [https://webbkoll.dataskydd.net/de](https://webbkoll.dataskydd.net/de)
   the quality result is perfect.
 * Best regards,
   Martin
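An added example (not code from Complianz, the No unsafe-inline plugin, or the poster) that parses a Content-Security-Policy value and reports the problems a reviewer would flag in the two policies quoted in this thread: a source list that mixes `'none'` with other sources (browsers then ignore the `'none'`), `'unsafe-inline'`/`'unsafe-eval'` given to directives where they have no meaning (`frame-ancestors`, `frame-src`, `object-src`), a `script-src` that still allows `'unsafe-inline'`, and a missing `frame-ancestors`. `LOOSE_POLICY` and `STRICT_POLICY` are constructed copies of the later and earlier policies from the thread; the lint itself is generic.

```python
"""Lint a Content-Security-Policy value for the mistakes seen in this thread.

Added example, not code from Complianz, No unsafe-inline or the poster. It
reports: 'none' mixed with other sources (ignored by browsers),
'unsafe-inline'/'unsafe-eval' on directives where they have no effect,
a script-src that still allows 'unsafe-inline', and a missing frame-ancestors.
"""
from typing import Dict, List

# Directives where 'unsafe-inline' / 'unsafe-eval' are meaningful.
INLINE_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
}
INLINE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}.

    A repeated directive keeps its first occurrence, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str) -> List[str]:
    findings: List[str] = []
    policy = parse_csp(header)
    for name, sources in policy.items():
        lowered = {s.lower() for s in sources}
        if "'none'" in lowered and len(sources) > 1:
            findings.append(f"{name}: 'none' mixed with other sources; the 'none' is ignored")
        stray = sorted(INLINE_KEYWORDS & lowered)
        if stray and name not in INLINE_DIRECTIVES:
            findings.append(f"{name}: {' '.join(stray)} has no effect on this directive")
    # script-src falls back to default-src when it is absent
    effective_script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in {s.lower() for s in effective_script}:
        findings.append("script-src: 'unsafe-inline' lets any injected inline script run (XSS)")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: framing is governed only by X-Frame-Options, if set")
    return findings


# Constructed copies of the two policies quoted in this thread (straight quotes).
LOOSE_POLICY = (
    "default-src 'none' 'self' 'unsafe-inline' 'unsafe-eval'; "
    "object-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' https://goerres-web.de/piwik https://s.w.org https://wordpress.org; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-src 'self' 'unsafe-inline' 'unsafe-eval'"
)
STRICT_POLICY = (
    "default-src 'self' https://cookiedatabase.org; "
    "script-src 'self' https://goerres-web.de/piwik https://cookiedatabase.org; "
    "img-src 'self' https://cookiedatabase.org https://goerres-web.de/piwik "
    "https://s.w.org https://wordpress.org; "
    "style-src 'self'; frame-ancestors 'self'; frame-src 'self'"
)

if __name__ == "__main__":
    for label, policy in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(label, lint_csp(policy) or ["no findings"])
```

The loose policy produces five findings and the strict one none, which matches the poster's own remark that the looser policy "reduced the security level". A clean lint is not the same as a working site, though: the strict policy is what broke the Matomo login and the customizer, because those pages rely on inline script. The way to keep the stricter policy is to allow the specific inline scripts by hash or nonce rather than re-adding `'unsafe-inline'` to `script-src`, and to leave `frame-ancestors` at `'self'`, since the keyword sources it was given above are simply ignored there.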
